Diffie-Hellman "p" length 1024/2048 bits
Hey folks! Spoiler: very tricky question ahead!
In a Diffie-Hellman negotiation (TLSv1.2 and the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite, to be more specific), is the length of p (aka the size, 1024/2048 bits) dependent on configuration alone, or could the issued certificate influence it?
I ask this because I have two VS that share the same cipher suites on the client-ssl profile but negotiate different sizes: one is 1024 and the other is 2048. And I read in K82014843 that BIG-IP is not supposed to use 2048 (as in it's not implemented), and to my surprise I'm getting 2048-bit DH in my tests.
Any tips for me?
Thanks!
When it comes to the handshake, the ciphers alone play a role in negotiation. The certificate plays no part here.
The DHE suites are 1024 only in F5; if you saw 2048 bits, it should have been ECDHE.
Can you put in a logging rule to confirm whether it was indeed a DHE suite and not ECDHE?
- rafaelbn (Cirrostratus)
Hello Jaikumar! Thanks for the reply.
I will investigate it further. But will let you know.
Do you recommend any article/training that explains this? I wish to understand this type of thing better.
Thanks!
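An added example, not part of the thread: in TLS 1.2 the server sends its ephemeral parameters in the ServerKeyExchange handshake message, with the DHE prime as the `dh_p` field and, for ECDHE, a named curve instead (RFC 5246 and RFC 4492). The sketch below reads that message from a capture to tell the two apart and measure `p`; the function names are hypothetical and the sample messages are constructed, not taken from a BIG-IP.

```python
import struct

NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}

def _vec16(buf, off):
    """Read a TLS opaque<0..2^16-1> vector; return (data, next offset)."""
    (n,) = struct.unpack_from("!H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:off + 2 + n], off + 2 + n

def describe_ske(suite_name, msg):
    """Summarise a TLS 1.2 ServerKeyExchange handshake message (type 12).

    The message layout depends on the negotiated suite, so the IANA suite
    name from the ServerHello is needed to decide how to read it."""
    if len(msg) < 4 or msg[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if suite_name.startswith("TLS_DHE_"):
        p, off = _vec16(body, 0)      # dh_p: the prime modulus
        g, off = _vec16(body, off)    # dh_g: the generator
        ys, off = _vec16(body, off)   # dh_Ys: server public value
        return {"kx": "DHE", "p_bits": int.from_bytes(p, "big").bit_length(),
                "g": int.from_bytes(g, "big")}
    if suite_name.startswith("TLS_ECDHE_"):
        if len(body) < 3 or body[0] != 3:   # 3 = named_curve
            raise ValueError("unsupported ECCurveType")
        curve = struct.unpack_from("!H", body, 1)[0]
        return {"kx": "ECDHE", "curve": NAMED_CURVES.get(curve, f"id {curve}")}
    raise ValueError("suite carries no ephemeral key-exchange parameters")

def _wrap(body):
    """Prefix a body with handshake type 12 and a 3-byte length."""
    return b"\x0c" + len(body).to_bytes(3, "big") + body

def sample_dhe(p_bits):
    """Constructed sample: p is a placeholder of the right size, not a real prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes(p_bits // 8, "big")
    vec = lambda b: struct.pack("!H", len(b)) + b
    return _wrap(vec(p) + vec(b"\x02") + vec(bytes(len(p))) + b"\x06\x01\x00\x00")

def sample_ecdhe():
    """Constructed sample: named_curve secp256r1 with an all-zero point."""
    return _wrap(b"\x03" + struct.pack("!H", 23) + b"\x41\x04" + bytes(64))

if __name__ == "__main__":
    dhe = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
    print(describe_ske(dhe, sample_dhe(1024)), describe_ske(dhe, sample_dhe(2048)))
    print(describe_ske("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", sample_ecdhe()))
```

Feed it the handshake bytes of the ServerKeyExchange record from a packet capture of each virtual server, together with the suite name from the ServerHello.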